SUMMARY

We examine a class of hybrid systems which we call Composite Hybrid Machines (CHMs) that consists of the concurrent (and partially synchronized) operation of Elementary Hybrid Machines (EHMs).

Legal behavior, specified by a set of illegal configurations that the CHM may not enter, is to be 
achieved by the concurrent operation of the CHM with a suitably designed legal controller. In the present 
paper we focus on the problem of synthesizing a legal controller, whenever such a controller exists. 
More specifically, we address the problem of synthesizing the minimally restrictive legal controller. 

A controller is minimally restrictive if, when composed to operate concurrently with another 
legal controller, it will never interfere with the operation of the other controller and, therefore, can 
be composed to operate concurrently with any other controller that may be designed to achieve liveness 
specifications or optimality requirements without the need to reinvestigate or reverify legality of the 
composite controller. 

We confine our attention to a special class of CHMs where system dynamics is rate-limited and legal guards are conjunctions or disjunctions of atomic formulas in the dynamic variables (of the type $x < x_0$ or $x \geq x_0$). We present an algorithm for synthesis of the minimally restrictive legal controller.

We demonstrate our approach by synthesizing a minimally restrictive controller for a steam boiler 
(the verification of which recently received a great deal of attention). 

1 INTRODUCTION 

Various definitions have been proposed in the literature to capture the intuitive idea that 
hybrid systems are dynamic systems in which discrete and continuous behaviors coexist and interact 
(refs. 1-6). Broadly speaking, they are systems in which change occurs in response to events that take 
place discretely, asynchronously, and sometimes nondeterministically and also in response to dynamics 
that represents (causal) evolution as described by differential or difference equations of time. Thus, 
most physical systems that can be represented by formal behavior models are hybrid in nature. 

This research is supported in part by the National Science Foundation under grant ECS-9315344 and NASA under grant NAG2-1043 and in part by the Technion Fund for Promotion of Research.

The work by the first author was completed while he was a Senior NRC Research Associate at NASA Ames Research 
Center, Moffett Field, CA 94035. 
In recent years there has been a rapidly growing interest in the computer-science community in
modeling, analysis, formal specification, and verification of hybrid systems (see, e.g., references 2 and 7). 
This interest evolved progressively from logical systems, through “logically timed” temporal systems 
(refs. 8 and 9) to real-time systems modeled as timed-automata and, most recently, to a restricted class 
of hybrid systems called hybrid automata (ref. 1). Thus, the computer-science viewpoint of hybrid 
systems can be characterized as one of discrete programs embedded in an “analog” environment. 

In parallel, there has been growing interest in hybrid systems in the control-theory community, where traditionally systems have been viewed as “purely” dynamic systems that are modeled by differential or difference equations (refs. 3, 4, and 10). More recently, control of purely discrete systems, modeled as discrete-event systems, also received attention in the literature (refs. 11 and 12). The growing realization that neither the purely discrete nor the purely continuous frameworks are adequate for describing many physical systems has been an increasing driving force to focus attention on hybrid systems. Contrary to the computer-science viewpoint that focuses interest in hybrid systems on issues of analysis and verification (refs. 13-15), the control-theory viewpoint is to focus its interest on issues of design. Typical hybrid systems interact with the environment both by sharing signals (i.e., by transmission of input/output data) and by event synchronization (through which the system is reconfigured and its structure modified). Control of hybrid systems can therefore be achieved by employing both interaction mechanisms simultaneously. Yet, while this flexibility adds significantly to the potential control capabilities, it clearly makes the problem of design much more difficult. Indeed, in view of the obvious complexity of hybrid control, even the question of what are tractable and achievable design objectives is far from easy to resolve.

In the present paper we examine the control problem for a restricted class of hybrid systems that 
we call composite hybrid machines (CHMs). We confine our attention to bounded rate CHMs, in which 
the dynamic rates are bounded by lower and upper constant bounds. Control is confined to event 
synchronization; that is, the controller can affect the system’s behavior only by discrete commands. 
These hybrid systems are a generalization of timed automata, which in turn generalize discrete event 
systems by introducing real-time constraints. For such systems it is natural to specify the control 
objective in terms of safety constraints and liveness constraints, much in the spirit of the control of 
discrete-event systems. Indeed, this generalization is on one hand simple enough to be computationally 
tractable, and on the other hand complex enough to provide some substantial new insight and a sense 
of new research direction. 


2 DESIGN PHILOSOPHY 

Intuitively, a controller for legal behavior of a hybrid system is minimally restrictive if it never takes 
action unless constraint violation becomes imminent. When this happens, the controller is expected to 
do no more than prevent the system from becoming “illegal.” This is a familiar setting in the discrete- 
event control literature, where the role of the controller has traditionally been viewed as that of a 
supervisor that can only intervene in the system’s activity by event disablement (refs. 11 and 12). Thus,
a minimally restrictive supervisor of a discrete-event system is one that disables events only whenever 
their enablement would permit the system to violate the specification. 
It is not difficult to see that a natural candidate for a “template” of a minimally restrictive supervisor
is a system whose range of possible behaviors coincides with the set of behaviors permitted by the 
specification. The concurrent execution of the controlled system and such a supervisor, in the sense 
that events are permitted to occur in the controlled system whenever they are possible in the controller 
template, would then constrain the system to satisfy the specification exactly. We shall then say that 
we have employed the specification as a candidate implementation. If all the events that are possible 
in the system but not permitted by the candidate supervisor can actually be disabled, we say that 
the specification is implementable or (when the specification is given as a legal language) controllable 
(ref. 11). Generally, a specification may not be implementable because not all the events can be disabled.

The standard approach to supervisory controller synthesis can then be interpreted as an iterative 
procedure where, starting with the specification as a candidate implementation, at each stage of the 
iteration the specification is tightened so as to exclude behaviors that cannot be prevented from becoming 
illegal by instantaneous disablement of events (refs. 16 and 17). The subspecification thus obtained is 
then used as a new candidate implementation. When the procedure converges in a finite number of steps 
(a fact guaranteed in case the system is a finite automaton and the specification a regular language), the 
result is either an empty specification (meaning that a legal supervisor does not exist) or a minimally 
restrictive implementable subspecification. 
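The iterative tightening just described, as an added example that is not part of the paper: a Python implementation of the standard discrete-event fixpoint (the finite-automaton case the paper refers to in refs. 16 and 17), run on a constructed plant. The plant, its state and event names, and the choice of which events are uncontrollable are assumptions made for the illustration. Starting with the specification itself as the candidate, each round drops the states from which an uncontrollable event leads outside the candidate, and the procedure returns the minimally restrictive implementable subspecification as a set of states together with the controllable events that must be disabled, or None when the specification collapses to the empty one.

```python
"""Iterative tightening of a safety specification for a finite automaton.

Added example (not from the paper): the discrete-event fixpoint iteration
behind the design philosophy of Section 2.  Starting from the specification
itself (all states outside the illegal set), each round removes the states
from which an uncontrollable event leads outside the current candidate, i.e.
behaviours that cannot be prevented by instantaneous event disablement.
The plant below is a constructed sample.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Plant = Dict[Tuple[str, str], str]      # (state, event) -> next state

# Constructed sample plant: a machine that may overheat and get damaged.
SAMPLE_PLANT: Plant = {
    ("idle", "start"): "running",
    ("running", "stop"): "idle",
    ("running", "hot"): "overheating",
    ("overheating", "cool"): "running",
    ("overheating", "fault"): "damaged",
    ("idle", "service"): "maintenance",
    ("maintenance", "done"): "idle",
}
ILLEGAL = {"damaged"}


def states_of(plant: Plant) -> Set[str]:
    return {s for (src, _), dst in plant.items() for s in (src, dst)}


def tighten(plant: Plant, candidate: Set[str], uncontrollable: Set[str]) -> Set[str]:
    """One round: keep only the states whose uncontrollable successors stay inside."""
    return {
        s for s in candidate
        if all(dst in candidate
               for (src, ev), dst in plant.items()
               if src == s and ev in uncontrollable)
    }


def synthesize(plant: Plant, initial: str, illegal: Set[str], uncontrollable: Set[str]
               ) -> Optional[Tuple[FrozenSet[str], FrozenSet[Tuple[str, str]], int]]:
    """Return (legal states, (state, event) pairs to disable, rounds), or None
    when no legal supervisor exists.  Terminates: the candidate only shrinks."""
    candidate = states_of(plant) - set(illegal)
    rounds = 0
    while True:
        rounds += 1
        tighter = tighten(plant, candidate, uncontrollable)
        if tighter == candidate:
            break
        candidate = tighter
    if initial not in candidate:
        return None                      # empty specification: no legal supervisor
    disabled = frozenset((src, ev) for (src, ev), dst in plant.items()
                         if src in candidate and dst not in candidate)
    assert all(ev not in uncontrollable for _, ev in disabled)  # only controllable exits remain
    return frozenset(candidate), disabled, rounds


if __name__ == "__main__":
    print(synthesize(SAMPLE_PLANT, "idle", ILLEGAL, {"hot", "fault"}))
    print(synthesize(SAMPLE_PLANT, "idle", ILLEGAL, {"fault"}))
```

With "hot" and "fault" uncontrollable the candidate shrinks twice (overheating first, then running, since the uncontrollable "hot" can no longer be tolerated), and the supervisor is left disabling only "start" at "idle"; making "hot" controllable keeps "running" legal and the supervisor disables "hot" there instead.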

In the present paper we shall employ the same design philosophy for the synthesis of minimally 
restrictive controllers of hybrid systems. While the approach is, in principle, very general and can be 
employed for a wide range of specifications, we confine our attention in the present paper to a restricted 
class of safety specifications. In particular, we shall consider only the problem where the controller is 
required to prevent the system from entering a specified set of illegal configurations. Although we shall 
not show this explicitly in this paper, a wide class of specifications can be transformed into the setting 
considered here. 

We shall restrict our attention further to bounded-rate hybrid systems. That is, we consider systems 
in which the rates of the dynamic variables are bounded by finite constants. It is not difficult to show 
that, even in this simple case, the question of existence of a controller may be computationally rather 
tricky. 


3 HYBRID MACHINES 

We first introduce a modeling formalism for a class of hybrid systems which we call hybrid machines 
and which are a special case of hierarchical hybrid machines to be discussed elsewhere (Heymann and 
Lin, Hierarchical Hybrid Machines, in preparation). Hybrid machines are similar in spirit to hybrid 
automata as introduced in reference 1. We begin by an informal example.

3.1 Illustrative Example 

Figure 1 describes schematically a hybrid system that consists of a water tank with water supplied 
by a pump and with outflow controlled by a two-position valve. 
Figure 1. Water tank system (schematic showing the Pump, the Tank, and the Valve).

The system is described graphically in figure 2 as a CHM that consists of three elementary hybrid 
machines (EHMs) running in parallel: 

$\mathrm{PUMP} \,\|\, \mathrm{TANK} \,\|\, \mathrm{VALVE}$

The EHM Tank has three vertices: <high>, <normal>, and <low>, representing the tank’s high, normal, and low levels, respectively. The dynamic behavior of the tank’s water level $L$ is described by the equations $\dot{x} = V - F$, $L = x$, where $x$ is the (internal) state of the vertex, and $V$ and $F$ are the rates of water inflow and outflow, respectively. The quantities $V$ and $F$ constitute input signals to the EHM Tank and output signals of the EHMs Pump and Valve, respectively. Tank may reside at a given vertex provided the vertex invariant $[\,\cdot\,]$ is true. Thus, it may reside at the vertex <normal> so long as the invariant $[L \geq L_1 \wedge L < L_2]$ is satisfied, and similarly for the other vertex invariants. The transitions between the three vertices are dynamic in the sense that they are triggered, respectively, by the guards $[L \geq L_2]$, $[L < L_2]$, $[L \geq L_1]$ and $[L < L_1]$ becoming true. The self-loop dynamic transition of the vertex <normal> labeled by $[L < L_1 + \Delta] \rightarrow \overline{\text{pump-on}}$ is guarded by the predicate $[L < L_1 + \Delta]$ and upon occurrence triggers the output event $\overline{\text{pump-on}}$. (Throughout, underlined event labels denote input events and overlined event labels denote output events.) Similarly, the other self-loop transition of the vertex <normal> is guarded by $[L \geq L_2 - \Delta]$ and triggers the output event $\overline{\text{pump-off}}$. The EHM Tank is initialized at the vertex <normal> with initial water level $L_0$ (that lies between the lower bound $L_1$ and the upper bound $L_2$).

Figure 2. Water tank system CHM (the three parallel EHMs Pump, Tank, and Valve).

The EHM Pump has two vertices: $\langle \mathrm{off}_P \rangle$ and $\langle \mathrm{on}_P \rangle$. At the vertex $\langle \mathrm{off}_P \rangle$, the pump is off, reflected by the vertex output $V = 0$. Similarly, at the vertex $\langle \mathrm{on}_P \rangle$, the pump is running and the vertex output $V$ is the pump’s (constant) flow rate $P$. The transitions between the two vertices are labeled by the input event labels $\underline{\text{pump-on}}$ and $\underline{\text{pump-off}}$. These transitions are triggered by and take place concurrently and synchronously with the output events $\overline{\text{pump-on}}$ and $\overline{\text{pump-off}}$, respectively.

Finally, the EHM Valve can be at either of the vertices $\langle \mathrm{open}_V \rangle$ or $\langle \mathrm{closed}_V \rangle$. Transitions between the two vertices are labeled by input events $\underline{\text{valve-open}}$ and $\underline{\text{valve-closed}}$, respectively. These transition labels do not appear as output events in any of the other parallel EHMs but can be received from the (unmodeled) environment. When Valve is closed the rate of outflow is $F = 0$, and when it is open the rate is proportional to the water level in the tank, $F = KL$.

Notice that there are two mechanisms for communication between parallel EHMs: (1) Input/output- 
event synchronization, by which transitions are synchronized. Transitions labeled by input events can 
take place only in synchrony with a corresponding output event that is being transmitted either by a 
parallel EHM or by the environment. (2) Signal sharing, by which outputs (output signals) of a vertex 
are available as vertex inputs to any other parallel EHM. 

3.2 Elementary Hybrid Machines 

With the above illustrative example in mind, we can now formally define hybrid machines as 
follows. An elementary hybrid machine is denoted by 

$\mathrm{EHM} = (Q, \Sigma, D, I, E, (q_0, x_0))$

The elements of EHM are as follows. 

• Q is a finite set of vertices. 

• $\Sigma$ is a finite set of event labels. An event is an input event, denoted by $\underline{\sigma}$ (underline), if it is received by the EHM from its environment; and an output event, denoted by $\overline{\sigma}$ (overline), if it is generated by the EHM and transmitted to the environment.

• $D = \{d_q = (x_q, y_q, u_q, f_q, h_q) : q \in Q\}$ is the dynamics of the EHM, where $d_q$, the dynamics at the vertex $q$, is given by

$\dot{x}_q = f_q(x_q, u_q)$

$y_q = h_q(x_q, u_q)$

with $x_q$, $u_q$, and $y_q$, respectively, the state, input, and output variables of appropriate dimensions. $f_q$ is a Lipschitz continuous function and $h_q$ a continuous function. (A vertex need not have dynamics associated with it — that is, $d_q = \emptyset$, in which case we say that the vertex is static.)

• $I = \{I_q : q \in Q\}$ is a set of invariants. $I_q$ represents conditions under which the EHM is permitted to reside at $q$. A formal definition of $I_q$ will be given in the next subsection.

• $E = \{(q, G \wedge \sigma \rightarrow \sigma', q', x^0_{q'}) : q, q' \in Q\}$ is a set of edges (transition paths), where $q$ is the exiting vertex, $q'$ the entering vertex, $\sigma$ the input event, $\sigma'$ the output event, $G$ the guard to be formally defined in the next subsection, and $x^0_{q'}$ the initialization value for $x_{q'}$ upon entry to $q'$.

$(q, G \wedge \sigma \rightarrow \sigma', q', x^0_{q'})$ is interpreted as follows. If $G$ is true and the event $\sigma$ is received as an input, then the transition to $q'$ takes place with the assignment of the initial condition $x_{q'}(t_0) = x^0_{q'}$ (here $t_0$ denotes the time at which the vertex $q'$ is entered). The output event $\sigma'$ is transmitted at the same time. If $\sigma$ is absent, then the transition takes place immediately upon $G$ becoming true; if $\sigma'$ is absent, then no output event is transmitted; if $G$ is absent, the guard is always true and the transition will be triggered by the input event $\sigma$; and if $x^0_{q'}$ is absent, then the initial condition is inherited from $x_q$ (assuming $x_q$ and $x_{q'}$ represent the same physical object and hence are of the same dimension).

• $(q_0, x_0)$ denote the initialization condition: $q_0$ is the initial vertex and $x_{q_0}(t_0) = x_0$.

For the EHM to be well defined, we require that the vertices be completely guarded with each possible invariant violation. That is, every invariant violation implies that some guard becomes true and the associated transition is input event-free in the sense that it has the form $(q, G \rightarrow \sigma', q', x^0_{q'})$. (It is, in principle, permitted that more than one guard become true at the same instant. In this case the transition that will actually take place is resolved nondeterministically.) Note that we do not require the converse to be true. That is, a transition can be triggered even if the invariant is not violated. We do require that, upon entry to $q'$, the invariant $I_{q'}$ not be violated. It is, however, possible that upon entry to $q'$ one of the guards at $q'$ is already true. In this case, the EHM will immediately exit $q'$ and go to the vertex specified by the guards. Such a transition is considered instantaneous. Naturally, we only allow finite chains of such instantaneous transitions. That is, the guards must be such that no sequence of instantaneous transitions will form a loop.

In this paper we shall study a restrictive class of hybrid machines by making the following 
assumption. 

Assumption 1 The dynamics described by $f_q$ and $h_q$ has the following properties: (1) $h_q(x_q, u_q)$ is a linear function; and (2) $f_q(x_q, u_q)$ is bounded by a lower limit $\underline{k}_q$ and an upper limit $\overline{k}_q$, that is, $f_q(x_q, u_q) \in [\underline{k}_q, \overline{k}_q]$.

An execution of the EHM is a sequence

$q_0 \xrightarrow{e_1, t_1} q_1 \xrightarrow{e_2, t_2} q_2 \xrightarrow{e_3, t_3} \cdots$

where $e_i$ is the $i$th transition and $t_i$ is the time when the $i$th transition takes place. For each execution,
we define its trajectory, path, and trace as follows. 
• The trajectory of the execution is the sequence of the vector time functions of the state variables:

$x_{q_0}, x_{q_1}, x_{q_2}, \ldots$

where $x_{q_i} = \{x_{q_i}(t) : t \in [t_i, t_{i+1})\}$.

• The path of the execution is the sequence of the vertices. 

• The input trace of the execution is the sequence of the input events. 

• The output trace of the execution is the sequence of the output events. 


Remark 1 It is easily seen that discrete-event systems and continuous-variable systems are special cases of the hybrid systems as described above. Indeed, we note that if there is no dynamics in an EHM (and hence no $D$ and $I$), then

$\mathrm{EHM} = (Q, \Sigma, E, q_0)$

where edges $E$ are labeled only by events: a typical discrete-event system. Similarly, if there is no event and only one vertex in an EHM (and hence no need to introduce $Q$, $\Sigma$, $I$, and $E$), then

$\mathrm{EHM} = (D, x_0) = (x, y, u, f, h, x_0)$

which is a typical continuous-variable system.


3.3 Composite Hybrid Machine 

A composite hybrid machine consists of several elementary hybrid machines running in parallel: 

$\mathrm{CHM} = \mathrm{EHM}^1 \,\|\, \mathrm{EHM}^2 \,\|\, \cdots \,\|\, \mathrm{EHM}^n$

Interaction between EHMs is achieved by means of signal transmission (shared variables) and input/output-event synchronization (message passing) as described below.

Shared variables consist of output signals from all EHMs as well as signals received from the 
environment. They are shared by all EHMs in the sense that they are accessible to all EHMs. A 
shared variable can be the output of, at most, one EHM. If the EHM of the output variable does not 
update the variable, its value will remain unchanged. The set of shared variables defines a signal space 

$S = [S_1, S_2, \ldots, S_m]$.

Transitions are synchronized by an input/output synchronization formalism. That is, if an output event $\overline{\sigma}$ is either generated by one of the EHMs or received from the environment, then all EHMs for which $\underline{\sigma}$ is an active transition label (i.e., $\underline{\sigma}$ is defined at the current vertex with a true guard) will execute $\underline{\sigma}$ (and its associated transition) concurrently with the occurrence of $\overline{\sigma}$. An output event can be generated by, at most, one EHM. Notice that input events do not synchronize among themselves. Notice further that this formalism is a special case of the prioritized synchronous composition formalism (ref. 18), where each event is in the priority set of, at most, one parallel component.

By introducing the shared variables $S$, we can now define invariants and guards formally as boolean combinations of inequalities of the form (called atomic formulas)

$S_i \geq C_i$ or $S_i < C_i$

where $S_i$ is a shared variable and $C_i$ is a real constant.

To describe the behavior of

$\mathrm{CHM} = \mathrm{EHM}^1 \,\|\, \mathrm{EHM}^2 \,\|\, \cdots \,\|\, \mathrm{EHM}^n$

we define a configuration of the CHM to be

$q = \langle q^1_{i_1}, q^2_{i_2}, \ldots, q^n_{i_n} \rangle \in Q^1 \times Q^2 \times \cdots \times Q^n$

where $Q^j$ is the set of vertices of $\mathrm{EHM}^j$ (components of the EHMs are superscripted).

When all the elements of $q$ are specified, we call $q$ a full configuration. When only some of the elements of $q$ are specified, we call $q$ a partial configuration and we mean that an unspecified element can be any possible vertex of the respective EHM. For example, $\langle q^{j_1}_{i_{j_1}}, \ldots, q^{j_k}_{i_{j_k}} \rangle$ is interpreted as the set

$\{\langle q^1_{i_1}, \ldots, q^n_{i_n} \rangle : q^l_{i_l} \in Q^l \text{ for every unspecified index } l \notin \{j_1, \ldots, j_k\}\}$

of full configurations. Thus, a partial configuration is a compact description of a set of (full) configurations.


A transition

$\langle q^1_{i_1}, q^2_{i_2}, \ldots, q^n_{i_n} \rangle \xrightarrow{\ l\ } \langle q^1_{i_1'}, q^2_{i_2'}, \ldots, q^n_{i_n'} \rangle$

of a CHM is a triple where $\langle q^1_{i_1}, \ldots, q^n_{i_n} \rangle$ is the source configuration, $\langle q^1_{i_1'}, \ldots, q^n_{i_n'} \rangle$ the target configuration, and $l$ the label that triggers the transition. $l$ can be either an event or a guard (becoming true). Thus, if $l = \sigma$ is an event (generated by the environment), then either $q^j_{i_j'} = q^j_{i_j}$ if $\sigma$ is not active at $q^j_{i_j}$, or $q^j_{i_j'}$ is such that $(q^j_{i_j}, \sigma \rightarrow \sigma', q^j_{i_j'}, x^0_{q^j_{i_j'}})$ is a transition in $E^j$. On the other hand, if $l = G$ is a guard, then there must exist a transition $(q^m_{i_m}, G \rightarrow \sigma', q^m_{i_m'}, x^0_{q^m_{i_m'}})$ in some $\mathrm{EHM}^m$ and for $j \neq m$, either $q^j_{i_j'} = q^j_{i_j}$ if $\sigma'$ is not defined at $q^j_{i_j}$, or $q^j_{i_j'}$ is such that $(q^j_{i_j}, \sigma' \rightarrow \sigma'', q^j_{i_j'}, x^0_{q^j_{i_j'}})$ is a transition in $E^j$.
Recall that our model also allows guarded event transitions of the form

$(q, G \wedge \sigma \rightarrow \sigma', q', x^0_{q'})$

However, since for the transition to take place the guard must be true when the event is triggered, a guarded event transition can be decomposed into the dynamic transition

$(q_1, G, q_2)$

followed by the event transition $(q_2, \sigma \rightarrow \sigma', q', x^0_{q'})$, where $q$ has been partitioned into $q_1$ and $q_2$, with $I_{q_1} = I_q \wedge \neg G$ and $I_{q_2} = I_q \wedge G$. It follows that a guarded event transition can be treated as a combination of a dynamic and an event transition.

Thus, transitions in CHMs can be classified into two types: (1) dynamic transitions, which are 
labeled by guards only, and (2) event transitions, which are labeled by events. 

The transitions are considered to occur instantaneously, and concurrent vertex changes in parallel 
components occur at exactly the same instant (even when constituting a logically triggered finite chain 
of transitions). 


Remark 2 Based on the above definition, a CHM can be viewed as the same object as an EHM:

$\mathrm{CHM} = (Q, \Sigma, D, I, E, (q_0, x_0))$

where

$Q = Q^1 \times Q^2 \times \cdots \times Q^n$

$\Sigma = \Sigma^1 \cup \Sigma^2 \cup \cdots \cup \Sigma^n$

$D = \{(x_q, y_q, u_q, f_q, h_q) : q = \langle q^1_{i_1}, \ldots, q^n_{i_n} \rangle \in Q^1 \times Q^2 \times \cdots \times Q^n\}$ combines all the dynamics of $q^j_{i_j}$, $j = 1, 2, \ldots, n$

$I = \{I_q = I^1_{q^1_{i_1}} \wedge \cdots \wedge I^n_{q^n_{i_n}} : q = \langle q^1_{i_1}, \ldots, q^n_{i_n} \rangle \in Q^1 \times Q^2 \times \cdots \times Q^n\}$

$E$ is defined as above

$(q_0, x_0) = (\langle q^1_0, q^2_0, \ldots, q^n_0 \rangle, (x^1_0, x^2_0, \ldots, x^n_0))$

Therefore, we can define an execution of a CHM in the same way as that of an EHM.
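The water-tank CHM of Section 3.1 executed under the composition rules of this section, as an added example (not code from the paper): a small Python interpreter for EHMs with guarded dynamic transitions, underlined input events, overlined output events and shared signals, composed as Pump || Tank || Valve. Advancing the state by forward Euler is an implementation choice, and the constants L1, L2, Δ, P, K, L0 and the time step are constructed for the run; the environment sends valve-open once at the start. The run shows the two self-loops of Tank switching Pump in the same instant through pump-on and pump-off, and the level staying inside <normal>.

```python
"""Executing the water-tank CHM Pump || Tank || Valve of Sections 3.1 and 3.3.
Added example, not code from the paper: a forward-Euler execution with signal
sharing (vertex outputs V, F, L are shared variables) and input/output-event
synchronization (an output event of one EHM fires the matching input transition
of the others in the same instant). A dynamic transition fires when its guard
becomes true. All numeric constants are constructed for the run.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Signals = Dict[str, float]
L1, L2, DELTA, P, K, L0 = 2.0, 8.0, 1.0, 2.0, 0.1, 5.0   # constructed constants


@dataclass
class Edge:
    src: str
    dst: str
    guard: Optional[Callable[[Signals], bool]] = None   # set => dynamic transition
    input_event: Optional[str] = None                   # underlined label
    output_event: Optional[str] = None                  # overlined label


@dataclass
class EHM:
    name: str
    vertex: str
    edges: List[Edge]
    outputs: Callable[["EHM", Signals], Signals]              # y_q = h_q(x_q, u_q)
    flow: Callable[["EHM", Signals], float] = lambda m, S: 0.0  # dx_q/dt = f_q (static: 0)
    x: float = 0.0
    seen: Dict[int, bool] = field(default_factory=dict)       # last value of each guard

    def dynamic_edge(self, S: Signals) -> Optional[Edge]:
        # first dynamic transition at this vertex whose guard has just become true
        for e in self.edges:
            if e.src == self.vertex and e.guard is not None:
                now, was = e.guard(S), self.seen.get(id(e), False)
                self.seen[id(e)] = now
                if now and not was:
                    return e
        return None

    def input_edge(self, event: str) -> Optional[Edge]:
        return next((e for e in self.edges
                     if e.src == self.vertex and e.input_event == event), None)


class CHM:
    def __init__(self, machines: List[EHM]):
        self.machines, self.S, self.trace = machines, {}, []
        self.publish()

    def publish(self) -> None:                      # signal sharing
        for m in self.machines:
            self.S.update(m.outputs(m, self.S))

    def fire(self, m: EHM, e: Edge) -> None:
        self.trace.append((m.name, e.src, e.dst))
        m.vertex, m.seen = e.dst, {id(e): True}     # a self-loop must re-arm first
        self.publish()
        if e.output_event:                          # synchronous broadcast
            self.broadcast(e.output_event)

    def broadcast(self, event: str) -> None:
        for m in self.machines:
            if (e := m.input_edge(event)) is not None:
                self.fire(m, e)

    def settle(self, limit: int = 16) -> None:      # finite chain of instantaneous moves
        for _ in range(limit):
            hit = next(((m, e) for m in self.machines if (e := m.dynamic_edge(self.S))), None)
            if hit is None:
                return
            self.fire(*hit)
        raise RuntimeError("instantaneous transitions form a loop")

    def step(self, dt: float) -> None:
        for m in self.machines:
            m.x += dt * m.flow(m, self.S)           # Euler step of the vertex dynamics
        self.publish()
        self.settle()


def build_water_tank() -> CHM:
    tank = EHM("Tank", "normal", [
        Edge("normal", "high", guard=lambda S: S["L"] >= L2),
        Edge("normal", "low", guard=lambda S: S["L"] < L1),
        Edge("normal", "normal", guard=lambda S: S["L"] < L1 + DELTA, output_event="pump-on"),
        Edge("normal", "normal", guard=lambda S: S["L"] >= L2 - DELTA, output_event="pump-off"),
        Edge("high", "normal", guard=lambda S: S["L"] < L2),
        Edge("low", "normal", guard=lambda S: S["L"] >= L1)],
        outputs=lambda m, S: {"L": m.x}, flow=lambda m, S: S["V"] - S["F"], x=L0)
    pump = EHM("Pump", "off_P", [Edge("off_P", "on_P", input_event="pump-on"),
                                 Edge("on_P", "off_P", input_event="pump-off")],
               outputs=lambda m, S: {"V": P if m.vertex == "on_P" else 0.0})
    valve = EHM("Valve", "closed_V", [Edge("closed_V", "open_V", input_event="valve-open"),
                                      Edge("open_V", "closed_V", input_event="valve-closed")],
                outputs=lambda m, S: {"F": K * S["L"] if m.vertex == "open_V" else 0.0})
    return CHM([tank, pump, valve])                 # Tank first: Valve's output reads L


def simulate(duration: float = 60.0, dt: float = 0.05):
    chm = build_water_tank()
    chm.broadcast("valve-open")                     # event received from the environment
    lo = hi = chm.S["L"]
    for _ in range(int(duration / dt)):
        chm.step(dt)
        lo, hi = min(lo, chm.S["L"]), max(hi, chm.S["L"])
    return chm.trace, lo, hi, {m.name: m.vertex for m in chm.machines}
```

Each ("Tank", "normal", "normal") entry in the returned trace is immediately followed by the Pump transition it triggered, which is the input/output synchronization of Section 3.3 at work; the level oscillates between L1 + Δ and L2 − Δ (up to one Euler step of overshoot) and the Tank never leaves <normal>.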

4 CONTROL 
4.1 Specifications 

As stated in the previous section, a CHM can interact with its environment in two ways: 
(1) by signal transmission (shared variables), and (2) by input/output-event synchronization. Formally, 
a controller of a CHM is a hybrid machine C that runs in parallel with the CHM. The resultant system 

$\mathrm{CHM} \,\|\, C$

is called the controlled or closed loop system. The objective of control is to force the controlled system
to satisfy a prescribed set of behavioral specifications. 

For conventional (continuous) dynamical systems, control specification might consist of the requirement of stability, robustness, disturbance rejection, optimality and the like. For discrete-event systems, specifications of required behavior are typically given as safety specifications, where a prescribed set of unwanted behaviors or configurations is to be avoided, or liveness specifications, where a prescribed set of termination conditions is to be met, or both.

For general hybrid systems, specifications can, in principle, be of a very complex nature incorporating both dynamic requirements and the logical (discrete) aspects.

In the present paper we consider only safety specifications given as a set of illegal configurations

$Q_b = \{q = \langle q^1_{i_1}, \ldots, q^n_{i_n} \rangle \in Q^1 \times Q^2 \times \cdots \times Q^n : q \text{ is illegal}\}$

that the system is not permitted to visit.

Our goal is to synthesize a controller that guarantees satisfaction of the above stated configuration- 
based safety requirement. A controller that achieves the specification is then said to be legal. 

In this paper, we shall consider only restricted interaction between the controller and the CHM by 
permitting the controller to communicate with the CHM only through input/output-event synchronization. 
Thus, we make the following assumption. 

Assumption 2 C can only control the CHM by means of input/output-event synchronization. That is, 
C can only control event transitions in the CHM. 

Thus, the controller is assumed not to generate any output signals that may affect the CHM. 

We shall assume further that C can control all the event transitions in the CHM. That is, all the 
(externally triggered) event transitions are available to the controller. This leads to no essential loss 
of generality because, when some of the events are uncontrollable, we can use the methods developed 
in supervisory control of discrete-event systems (refs. 11 and 12) to deal with uncontrollable event 
transitions. We shall elaborate on this issue elsewhere. 

A legal controller C is said to be less restrictive than another legal controller C' if every execution 
permitted by C' is also permitted by C (a formal definition will be given in the next subsection). A 
legal controller is said to be minimally restrictive if it is less restrictive than any legal controller. 

With a slight modification of the formalism that we shall present here, two or more controllers can 
be combined by parallel composition to form a composite controller. An important characteristic of a 
minimally restrictive controller is the fact that when it is combined with any other controller (legal or 
not) that is possibly designed for satisfying some other specifications, such as liveness or optimality, 
the combined controller is guaranteed to be safe (i.e., legal). Hence, no further verification of safety 
will be needed. Furthermore, the minimally restrictive controller will intervene with the action of the 
other controller only minimally; that is, when it is absolutely necessary to do so in order to guarantee
the safety of the system. 


4.2 Control Synthesis 

As stated, our control objective is to ensure that the system CHM never enters the set of illegal 
configurations $Q_b$. Such entry can occur either via an event transition or via a dynamic transition.
Since all event transitions are at the disposal of the controller, prevention of entry to the illegal set 
via event transitions is a trivial matter (they simply must not be triggered). Therefore, in our control 
synthesis we shall focus our attention on dynamic transitions. Intuitively, the minimally restrictive legal 
controller must take action, by forcing the CHM from the current configuration to some other legal 
configuration, just in time (but as late as possible) to prevent a dynamic transition from leading the 
system to an illegal configuration. Clearly, entry to a configuration which is legal but at which an 
inescapable (unpreventable) dynamic transition to an illegal configuration is possible, must itself be 
deemed technically illegal and avoided by the controller. Thus the controller synthesis algorithm that 
we present below will iterate through the (still) legal configurations and examine whether it is possible 
to prevent a dynamic transition from leading to an illegal configuration. In doing so, it will frequently 
be necessary to “split” configurations by partitioning their invariants into their legal and illegal parts. 

To streamline the ensuing analysis, we shall assume that the invariants of all legal configurations are expressed in conjunctive normal form

$I = (I_{11} \vee \cdots \vee I_{1 l_1}) \wedge \cdots \wedge (I_{m1} \vee \cdots \vee I_{m l_m})$

where $I_{ij} = (S_{ij} \geq C_{ij})$ or $I_{ij} = (S_{ij} < C_{ij})$. Similarly, all the guards are in conjunctive normal form

$G = (G_{11} \vee \cdots \vee G_{1 l_1}) \wedge \cdots \wedge (G_{m1} \vee \cdots \vee G_{m l_m})$

where $G_{ij} = (S_{ij} \geq C_{ij})$ or $G_{ij} = (S_{ij} < C_{ij})$, representing some semi-open intervals.¹ Without loss of generality, we shall assume that the invariant is violated if and only if one or more of the guards is true. (Otherwise, we can conjoin with the invariant the negation of the guards.)

Let us consider a legal configuration q. As discussed earlier, we assume that transitions leaving q 
are either dynamic transitions or event transitions, and can lead to either legal or illegal configurations. 
Therefore, we classify the transitions into four types: 

1. Legal event transitions that lead to legal configurations

$ET_g(q, Q_b) = \{(q, \sigma, q') : q \xrightarrow{\sigma} q' \wedge q' \notin Q_b\}$

2. Illegal event transitions that lead to illegal configurations

$ET_b(q, Q_b) = \{(q, \sigma, q') : q \xrightarrow{\sigma} q' \wedge q' \in Q_b\}$

3. Legal dynamic transitions that lead to legal configurations

$DT_g(q, Q_b) = \{(q, G, q') : q \xrightarrow{G} q' \wedge q' \notin Q_b\}$

4. Illegal dynamic transitions that lead to illegal configurations

$DT_b(q, Q_b) = \{(q, G, q') : q \xrightarrow{G} q' \wedge q' \in Q_b\}$

¹More generally, we only require that guards leading to illegal configurations be described by semi-open intervals.

Since transitions in $ET_b(q, Q_b)$ can be prevented by simply not being triggered, we need not discuss them further. If $DT_b(q, Q_b) = \emptyset$, then no dynamic transition from $q$ leads to an illegal configuration and hence there is no need to split $q$. Otherwise, if $DT_b(q, Q_b) \neq \emptyset$, we may need to split $q$ as discussed below. Let us consider the different cases.

Case 1 $DT_g(q, Q_b) = \emptyset$

Since $DT_g(q, Q_b) = \emptyset$, the only way to prevent transitions in $DT_b(q, Q_b)$ from taking place is for the controller to trigger an event transition $(q, \sigma, q') \in ET_g(q, Q_b)$, provided this set is nonempty, thereby forcing the CHM from $q$ to $q'$. However, such a transition may be legally triggered only if the invariant $I_{q'}$ is satisfied upon entry to $q'$. (Notice that if $q'$ is the legal subconfiguration of a configuration whose invariant has been split into a legal part and an illegal part, satisfaction of the invariant $I_{q'}$ is not automatically guaranteed when $\sigma$ is triggered.) Thus, let us define $wp(q, \sigma, q')$ to be the weakest precondition under which the transition $(q, \sigma, q')$ will not violate the invariant $I_{q'}$ upon entry to $q'$. Since some of the shared variables that appear in $I_{q'}$ are possibly (re-)initialized upon entering $q'$, the condition $wp(q, \sigma, q')$ can be computed from $I_{q'}$ by substituting into $I_{q'}$ the appropriate initial (entry) values of all the variables that are also output variables of $q'$. That is, if $y_j$ is the $j$th output variable of $q'$ and $S_i = y_j$ is a shared variable that appears in $I_{q'}$, then the value of $S_i$ must be set to

$S_i = h_j(x_{q'}, u_{q'})$


If $I_q \not\Rightarrow wp(q, \sigma, q')$, then we shall split the configuration $q$ into two subconfigurations $q_1$ and $q_2$ by partitioning the invariant $I_q$ (and associating with each of the subconfigurations the corresponding invariant) as

$I_{q_1} = I_q \wedge wp(q, \sigma, q')$

$I_{q_2} = I_q \wedge \neg wp(q, \sigma, q')$

Clearly, the dynamics of and the transitions leaving and entering the configurations $q_1$ and $q_2$ are the same as for $q$, except that the transition $(q_2, \sigma, q')$ is not permitted or is impossible (because of the invariant violation). Also, the transition from $q_1$ to $q_2$ is dynamic with the guard $\neg wp(q, \sigma, q')$, and from $q_2$ to $q_1$ with the guard $wp(q, \sigma, q')$.

Clearly, $q_1$ is legal in the sense that from it the transition to the legal configuration $q'$ can be forced, while $q_2$ is not legal. From $q_1$, the dynamic transitions in $DT_b(q_1, Q_b)$ and the dynamic transition $(q_1, \neg wp(q, \sigma, q'), q_2)$ are illegal and must not be permitted. To prevent these transitions from taking place in a minimally restrictive manner, $\sigma$ must be forced just before any one of them can actually take place. In other words, $\sigma$ must be forced just before $I_{q_1}$ becomes false. To find the condition under which $\sigma$ needs to be forced, we note that, by our assumption on invariants, $I_{q_1}$ will have the conjunctive normal form

$I_{q_1} = (P_{11} \vee \cdots \vee P_{1 l_1}) \wedge \cdots \wedge (P_{m1} \vee \cdots \vee P_{m l_m})$

where $P_{ij} = (S_{ij} \geq C_{ij})$ or $P_{ij} = (S_{ij} < C_{ij})$, representing semi-closed intervals. Therefore, we would like to force $\sigma$ exactly on the boundary. Recall that, by assumption, the shared variables $S_i$ are rate-bounded; that is, $\dot{S}_i \in [r_i^L, r_i^U]$, where $r_i^L$ and $r_i^U$ are the lower and upper bounds, respectively. Thus, for a predicate $P = (S_i < C_i)$, we define


critical(P) 


(Si>Ci) \fn u >0 

false otherwise 


Similarly, for P = (Sj > Cj), 

critical(P) 


(Si<Ci) if r t L < 0 
false otherwise 


For conjunction of two predicates P = P\ A P2, 


critical(P) = critical(P\) V critical(P2 ) 


and for disjunction of two predicates P = P\ V P2, 

critical(P) = critical(P\) A critical(P2) 


The condition under which the transition (g, a, q 1 ) will be forced is then 

critical(I qi ) = critical(Iq A wp(q,a,q')) 


If there is more than one legal event transition in $ET_g(q,Q_b)$, then we shall split $q$ into $q_1$ and
$q_2$ as follows.

$$I_{q_1} = I_q \wedge \Big(\bigvee_{(q,\sigma,q') \in ET_g(q,Q_b)} wp(q,\sigma,q')\Big)$$

$$I_{q_2} = I_q \wedge \neg\Big(\bigvee_{(q,\sigma,q') \in ET_g(q,Q_b)} wp(q,\sigma,q')\Big)$$

The condition under which a legal event transition $(q,\sigma,q')$ needs to be forced is given by

$$critical(I_{q_1}) \wedge wp(q,\sigma,q')$$
Case 2 $ET_g(q,Q_b) = \emptyset$

Since $ET_g(q,Q_b) = \emptyset$, the transitions in $DT_b(q,Q_b)$ will be prevented from taking place only if
they are either preempted by some dynamic transitions in $DT_g(q,Q_b)$ or will never take place due to
the dynamics at $q$.

Note that, because of configuration splitting, the target configuration of a dynamic transition guarded
by a guard $G$ may depend on the dynamic condition at the source configuration at the instant when $G$
becomes true. Thus, if the configuration $q'$ is split into $q'_1$ and $q'_2$, then we may have either $(q,G,q'_1) \in
DT_g(q,Q_b)$ or $(q,G,q'_2) \in DT_b(q,Q_b)$, depending on the dynamic conditions. To deal with such cases
effectively, it will be convenient to replace $(q,G,q')$ by the following equivalent dynamic transition

$$(q,\ G \wedge wp(q,G,q'),\ q')$$

where $wp(q,G,q')$ is the weakest precondition under which the transition $(q,G,q')$ will not violate the
invariant $I_{q'}$ upon entry to $q'$; $wp(q,G,q')$ is calculated in the same way as $wp(q,\sigma,q')$.

To find the condition under which a dynamic transition $(q,G,q') \in DT_b(q,Q_b)$ will be preempted
by another dynamic transition (i.e., $(q,G,q')$ will not take place), let us consider first the time at which
a predicate will become true. We begin by considering an atomic formula

$$P = (S_i > C_i)$$

Suppose that at a given instant $t$ at which $S_i(t) = s_i$, $P$ is false; that is, $s_i < C_i$. Then the interval of
time that will elapse before $P$ can become true is bounded by the minimum value

$$T_{min}(true(P)) = \begin{cases} (C_i - s_i)/r_i^U & \text{if } r_i^U > 0 \\ \infty & \text{otherwise} \end{cases}$$

and the maximum value

$$T_{max}(true(P)) = \begin{cases} (C_i - s_i)/r_i^L & \text{if } r_i^L > 0 \\ \infty & \text{otherwise} \end{cases}$$

where, as before, $r_i^L$ and $r_i^U$ are the lower and upper bounds of $\dot S_i$, respectively.

If, at the instant $t$, $P$ is true, then clearly $T_{min}(true(P)) = T_{max}(true(P)) = 0$.

Similarly, if $P$ is given by

$$P = (S_i < C_i)$$

then if, at the instant $t$, $P$ is true, $T_{min}(true(P)) = T_{max}(true(P)) = 0$; otherwise, the minimum
interval is

$$T_{min}(true(P)) = \begin{cases} (C_i - s_i)/r_i^L & \text{if } r_i^L < 0 \\ \infty & \text{otherwise} \end{cases}$$

and the maximum interval is

$$T_{max}(true(P)) = \begin{cases} (C_i - s_i)/r_i^U & \text{if } r_i^U < 0 \\ \infty & \text{otherwise} \end{cases}$$

For the conjunction of two predicates, $P = P_1 \wedge P_2$, it is clear that

$$T_{min}(true(P)) = \max\{T_{min}(true(P_1)),\ T_{min}(true(P_2))\}$$

$$T_{max}(true(P)) = \max\{T_{max}(true(P_1)),\ T_{max}(true(P_2))\}$$

and for the disjunction of two predicates, $P = P_1 \vee P_2$,

$$T_{min}(true(P)) = \min\{T_{min}(true(P_1)),\ T_{min}(true(P_2))\}$$

$$T_{max}(true(P)) = \min\{T_{max}(true(P_1)),\ T_{max}(true(P_2))\}$$

Also, if a predicate is always false, $P = false$, then $T_{min}(true(P)) = T_{max}(true(P)) = \infty$.


Now, the dynamic transition $(q,G,q') \in DT_b(q,Q_b)$ will be preempted by another dynamic transition,
provided $I_q$, the invariant of $q$, becomes false before $G \wedge wp(q,G,q')$ becomes true. The earliest
time that $G \wedge wp(q,G,q')$ will become true is $T_{min}(true(G \wedge wp(q,G,q')))$ and the latest time that $I_q$ will
become false is given by $T_{max}(false(I_q)) = T_{max}(true(\neg I_q))$. It is clear that to ensure that the
transition $(q,G,q')$ will not take place, it must be required that the following preemptive condition$^2$

$$pc(q,G,q') = \big(T_{min}(true(G \wedge wp(q,G,q'))) > T_{max}(false(I_q))\big)$$

be satisfied. Therefore, we shall split the configuration $q$ into two subconfigurations $q_1$ and $q_2$ by
partitioning the invariant $I_q$ as

$$I_{q_1} = I_q \wedge pc(q,G,q')$$

$$I_{q_2} = I_q \wedge \neg pc(q,G,q')$$

Clearly, the dynamics of and the transitions leaving and entering the configurations $q_1$ and $q_2$ are the
same as for $q$, except that the transition $(q_1,G,q')$ is now impossible.

If there is more than one illegal dynamic transition at $q$, then we shall split $q$ into $q_1$ and $q_2$ as
follows.

$$I_{q_1} = I_q \wedge \Big(\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q')\Big)$$

$$I_{q_2} = I_q \wedge \neg\Big(\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q')\Big)$$

$^2$We take the convention that if $T_{min}(true(G \wedge wp(q,G,q'))) = \infty$, then $pc(q,G,q') = true$ even if
$T_{max}(false(I_q)) = \infty$.



General case That is, we require neither $ET_g(q,Q_b) = \emptyset$ nor $DT_b(q,Q_b) = \emptyset$.

In this general case, we can either rely on legal dynamic transitions to preempt the illegal dynamic
transitions or, if this does not happen, force some legal event transitions. Therefore, we shall split $q$
into $q_1$ and $q_2$ as follows.$^3$

$$I_{q_1} = I_q \wedge \Big(\Big(\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q')\Big) \vee \Big(\bigvee_{(q,\sigma,q') \in ET_g(q,Q_b)} wp(q,\sigma,q')\Big)\Big)$$

$$I_{q_2} = I_q \wedge \Big(\neg\Big(\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q')\Big) \wedge \neg\Big(\bigvee_{(q,\sigma,q') \in ET_g(q,Q_b)} wp(q,\sigma,q')\Big)\Big)$$

The condition under which a legal event transition $(q,\sigma,q')$ needs to be forced is now given by$^4$

$$critical(I_{q_1}) \wedge wp(q,\sigma,q') \wedge \Big(\neg\Big(\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q')\Big)\Big)$$

Note that if we adopt the convention that

$$\bigwedge_{(q,G,q') \in DT_b(q,Q_b)} pc(q,G,q') = true \quad \text{if } DT_b(q,Q_b) = \emptyset$$

$$\bigvee_{(q,\sigma,q') \in ET_g(q,Q_b)} wp(q,\sigma,q') = false \quad \text{if } ET_g(q,Q_b) = \emptyset$$

then this general case covers all the cases above, including the case when $DT_b(q,Q_b) = \emptyset$.

From the above discussion, we can now formally describe our synthesis algorithm.

Algorithm 1 (Control Synthesis)

Input

• The model of the system

$$CHM = (Q, \Sigma, D, I, E, (q_0, x_0))$$

• The set of illegal configurations

$$Q_b \subseteq Q$$

Output

• The controller

$$C = (Q^c, \Sigma^c, D^c, I^c, E^c, (q^c_0, x^c_0))$$

$^3$If $(q,G,q') \in DT_b(q,Q_b)$ cannot be prevented from occurring, then we must consider $q$ as illegal. In that case
$I_{q_1} = false$ and $I_{q_2} = I_q$.

$^4$There is a possible complication if the newly defined guards form an instantaneous loop of consecutive transitions. If
this occurs, further analysis will be required.
Initialization

1. Set of bad configurations

$$BC := Q_b;$$

2. Set of pending configurations

$$PC := Q - Q_b;$$

3. New set of pending configurations

$$NPC := \emptyset;$$

4. For each $q \in PC$, set its configuration origin as

$$CO(q) := q;$$

Iteration

5. For all $q \in PC$ do

$$I_{q_1} := I_q \wedge \Big(\Big(\bigwedge_{(q,G,q') \in DT_b(q,BC)} pc(q,G,q')\Big) \vee \Big(\bigvee_{(q,\sigma,q') \in ET_g(q,BC)} wp(q,\sigma,q')\Big)\Big);$$

$$I_{q_2} := I_q \wedge \Big(\neg\Big(\bigwedge_{(q,G,q') \in DT_b(q,BC)} pc(q,G,q')\Big) \wedge \neg\Big(\bigvee_{(q,\sigma,q') \in ET_g(q,BC)} wp(q,\sigma,q')\Big)\Big);$$

If $I_{q_1} \neq false$, then

$$NPC := NPC \cup \{q_1\};$$

$$CO(q_1) := CO(q);$$

If $I_{q_2} \neq false$, then

$$BC := BC \cup \{q_2\};$$

6. If $PC = NPC$, go to 8

7. Set

$$PC := NPC;$$

$$NPC := \emptyset;$$

Go to 5

Construction of C

8. Define vertices, events, and dynamics

$$Q^c := PC;$$

$$\Sigma^c := \Sigma \cup \{\underline{\sigma} : \sigma \in \Sigma\};$$

$$D^c := \emptyset;$$

9. Define transitions

$$E^c := \Big\{\Big(q,\ critical(I_q) \wedge wp(q,\sigma,q') \wedge \Big(\neg\Big(\bigwedge_{(q,G,q'') \in DT_b(q,BC)} pc(q,G,q'')\Big)\Big),\ q'\Big) : q, q' \in Q^c \wedge (CO(q),\sigma,CO(q')) \in E\Big\};$$

$$E^c := E^c \cup \Big\{\big(q,\ wp(q,\sigma,q') \wedge \underline{\sigma} \rightarrow \sigma,\ q'\big) : q, q' \in Q^c \wedge (CO(q),\sigma,CO(q')) \in E\Big\};$$

10. End

Therefore, the controller $C$ has no dynamics. Its vertices are copies of the legal configurations of
$CHM$ that survive after the partition. Its events include the output events $\sigma$ and the input events $\underline{\sigma}$ from
the environment or other controllers. Its transitions are of two types: (1) dynamic transitions that are
triggered when the $CHM$ is about to become potentially illegal, and (2) guarded event transitions that
are triggered by input events.

Another controller $D$ can be embedded into $C$ as follows. First, all the output events $\sigma$ in $D$ are
replaced by $\underline{\sigma}$ to obtain $\underline{D}$. Then the embedded control system is given by

$$CHM \| C \| \underline{D}$$


We can now prove the following.

Theorem 1 If Algorithm 1 terminates in a finite number of steps and no sequence of instantaneous
transitions forms a loop, then the controller synthesized is the minimally restrictive legal controller in
the following sense.

1. For any controller $D$, an execution in $CHM \| C \| \underline{D}$ will never visit the illegal configurations $Q_b$.

2. For any legal controller $D$, an execution is possible in $CHM \| D$ if and only if it is possible
in $CHM \| C \| \underline{D}$.


Proof 

Since Algorithm 1 terminates in a finite number of steps and no sequence of instantaneous transitions
forms a loop, the controller is well defined. In particular, time progresses as execution continues and
during any finite interval of time only a finite number of transitions take place.

To prove part 1, it is sufficient to show that an execution in $CHM \| C \| \underline{D}$ will only visit configurations in

$$Q^c \subseteq Q - Q_b$$

If this is not the case, then there exists an execution

$$q_0 \xrightarrow{e_1,t_1} q_1 \longrightarrow \cdots \longrightarrow q_{n-1} \xrightarrow{e_n,t_n} q_n$$

such that $q_0, q_1, \ldots, q_{n-1} \in Q^c$ but $q_n \notin Q^c$.

Let us consider the transition from $q_{n-1}$ to $q_n$. It cannot be an event transition because such illegal
event transitions are not permitted by $C$. If it is a dynamic transition, then, since it is not preempted at
$q_{n-1}$, it implies that $q_{n-1} \notin Q^c$, a contradiction.

To prove part 2, let us assume that

$$q_0 \xrightarrow{e_1,t_1} q_1 \longrightarrow \cdots \longrightarrow q_{n-1} \xrightarrow{e_n,t_n} q_n$$

is a possible execution of $CHM \| D$ but the last transition from $q_{n-1}$ to $q_n$ is impossible in $CHM \| C \| \underline{D}$;
that is, $q_n \notin Q^c$. Then by our construction of $q_n$, there exists a continuation of the execution in $CHM \| D$

$$q_n \xrightarrow{e_{n+1},t_{n+1}} q_{n+1} \longrightarrow \cdots \longrightarrow q_{n+m}$$

that will lead to an illegal configuration $q_{n+m} \in Q_b$. This execution cannot be prevented by $D$, a
contradiction to the hypothesis that $D$ is legal.

On the other hand, if

$$q_0 \xrightarrow{e_1,t_1} q_1 \longrightarrow \cdots \longrightarrow q_{n-1} \xrightarrow{e_n,t_n} q_n$$

is a possible execution of $CHM \| C \| \underline{D}$ but the last transition from $q_{n-1}$ to $q_n$ is impossible in $CHM \| D$,
then this last transition must be triggered by a dynamic transition in $C$ when the following guard becomes
true:

$$G^c = critical(I_{q_{n-1}}) \wedge wp(q_{n-1},\sigma,q_n) \wedge \Big(\neg\Big(\bigwedge_{(q_{n-1},G,q') \in DT_b(q_{n-1},BC)} pc(q_{n-1},G,q')\Big)\Big)$$

Since the transition $(q_{n-1},G^c,q_n)$ does not take place in $CHM \| D$, by our construction of $G^c$, the next
transition

$$q_{n-1} \longrightarrow q'_n$$

could lead to $q'_n \notin Q^c$. By the same argument as above, we conclude that $D$ is illegal, a contradiction.
5 STEAM BOILER EXAMPLE

In this section, we shall illustrate application of the control synthesis algorithm developed in the
previous section by synthesizing a controller for the familiar steam boiler example that was proposed
in reference 19 as a benchmark problem for modeling and verification of hybrid systems (see also, e.g.,
references 20 and 21). This example was proposed as a benchmark problem because it has many essential
properties that are found in some commonly used industrial processes, such as chemical reactors, oil
refineries, etc.

We use a simplified model of the steam boiler described in reference 19. Some parameters are set
at the same values as in reference 20. This simplified model captures the essence of the control problem
addressed in this paper.

The steam boiler consists of a water tank (boiler) equipped with two pumps (instead of four pumps
as in reference 19). Each pump can supply water to the boiler at the rate of 4 liters/sec. The pump can
be switched on (event $start_i$) and off (event $stop_i$) by a controller. Because the pump
cannot balance the pressure inside the boiler instantaneously, there is a five-second delay before water
starts pouring into the boiler after the pump is switched on.

Steam is generated by an unmodeled mechanism. The rate at which steam is generated is therefore
nondeterministic. But we do know that the rate is bounded between 0 and 6 liters/sec.

The control objective is to maintain the water level $L$ in the boiler between the minimal level of
5 liters and the maximal level of 220 liters. This is achieved by turning the two pumps on and off.
Since we are interested in synthesizing the minimally restrictive controller, our controller will accept
(i.e., permit) all behaviors (turning pumps on and off) that do not imply possible violation of the level
constraints and will intervene by forcing the pumps (on or off) only whenever it is absolutely necessary
to do so in order to guarantee constraint satisfaction.

The controller can sample the water level in the boiler only every five seconds. Since this implies
sampled decision making, there is no loss in generality in assuming that control (turning the pumps on
and off) can only be applied at the sampling instants.

In summary, the steam boiler to be controlled is modeled by the CHM in figure 3.

As stated above, the parameters are given by

$$P_1 = 4,\quad P_2 = 4,$$

$$v_L = 0,\quad v_H = 6,$$

$$L_L = 5,\quad L_H = 220$$

Without changing the nature of the problem, but to avoid nondeterminism in the controller, we shall
assume that Pump 1 will be turned on before Pump 2 can be turned on, and Pump 1 cannot be turned
off before Pump 2 is turned off. Therefore, the pump logic is as shown in figure 4.
Figure 3. Steam boiler system.

Thus, the configurations of the CHM to be controlled can be denoted by the legal configurations

$$q_1 = \langle off_1, off_2, normal \rangle$$
$$q_2 = \langle starting_1, off_2, normal \rangle$$
$$q_3 = \langle on_1, off_2, normal \rangle$$
$$q_4 = \langle starting_1, starting_2, normal \rangle$$
$$q_5 = \langle on_1, starting_2, normal \rangle$$
$$q_6 = \langle on_1, on_2, normal \rangle$$

and illegal configurations where $normal$ ($[L > 5] \wedge [L < 220]$) is replaced by $high$ ($[L > 220]$) or
$low$ ($[L < 5]$). That is,

$$Q_b = \langle high \rangle \cup \langle low \rangle$$

Because of the delays in turning the pumps on and the delays caused by sampling, there are
configurations in $\langle normal \rangle$ from which unavoidable dynamic transitions may lead to illegal configurations
in $Q_b$. Therefore, we must partition $\langle normal \rangle$ properly using the synthesis algorithm.
Figure 4. Pump logic.

Before applying the algorithm, we first replace the guarded event transitions by dynamic and event
transitions. Also, note that since $C_1 = C_2 = C$ whenever they are not equal to 0 or 5, only one clock
is sufficient (to be denoted by $C$). Thus, the equivalent CHM is shown in figure 5, where, for clarity,
the illegal configurations are not drawn.

We shall only illustrate how the algorithm performs on $q_6$ and $q_6'$, where

$$I_{q_6} = [L > 5] \wedge [L < 220] \wedge [C < 5]$$

$$I_{q_6'} = [L > 5] \wedge [L < 220] \wedge [C > 5]$$

By our algorithm,

$$wp(q_6', stop_2, q_3) = [L > 5] \wedge [L < 220]$$

Therefore, $q_6'$ will not be split. On the other hand, $q_6$ will be split as follows (note that at $q_6$, $\dot L \in [2, 8]$).

$$pc(q_6, [L > 220], \langle illegal \rangle)$$
$$= \big(T_{min}([L > 220]) > T_{max}([L < 5] \vee [L > 220] \vee [C > 5])\big)$$
$$= \big((220 - L)/8 > \min\{\infty,\ (220 - L)/2,\ 5 - C\}\big)$$
$$= \big((220 - L)/8 > (5 - C)\big)$$
$$= (L < 180 + 8C)$$
Figure 5. Composite hybrid machine.

Similarly,

$$pc(q_6, [L < 5], \langle illegal \rangle)$$
$$= \big(T_{min}([L < 5]) > T_{max}([L < 5] \vee [L > 220] \vee [C > 5])\big)$$
$$= \big(\infty > T_{max}([L < 5] \vee [L > 220] \vee [C > 5])\big)$$
$$= true$$

Therefore, $q_6$ will be split into $q_6^1$ and $q_6^2$ with invariants

$$I_{q_6^1} = I_{q_6} \wedge pc(q_6, [L > 220], \langle illegal \rangle) \wedge pc(q_6, [L < 5], \langle illegal \rangle)$$
$$= [L > 5] \wedge [L < 220] \wedge [C < 5] \wedge [L < 180 + 8C]$$
$$= [L > 5] \wedge [C < 5] \wedge [L < 180 + 8C]$$

$$I_{q_6^2} = [L > 5] \wedge [L < 220] \wedge [C < 5] \wedge [L > 180 + 8C]$$
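The $T_{min}$/$T_{max}$ bounds and the preemptive condition $pc(q,G,q')$ defined in the previous section, evaluated numerically on the configuration $q_6$ above (an added example, not code from the paper): the tuple encoding of formulas and the function names are this example's own assumptions, and the rate bounds $\dot L \in [2, 8]$, $\dot C = 1$ are taken from the $q_6$ discussion. It checks that the computed $pc(q_6, [L > 220], \langle illegal \rangle)$ agrees with the closed form $[L < 180 + 8C]$ on integer states inside $I_{q_6}$.

```python
# Added example, not code from the paper: numeric evaluation of the T_min/T_max
# bounds and of the preemptive condition pc(q, G, q') for rate-bounded atomic
# predicates, checked against the paper's closed form on the steam boiler
# configuration q_6 (both pumps on, so dL/dt in [2, 8]; sampling clock C runs
# at rate 1).  Formula encoding (an assumption of this example):
#   ('<', var, c), ('>', var, c), ('and', f, g), ('or', f, g), True, False.
INF = float("inf")
RATES_Q6 = {"L": (2.0, 8.0), "C": (1.0, 1.0)}   # (r_L, r_U) per shared variable


def negate(f):
    """Push negation down to the atoms: not (S<c) is (S>c); De Morgan for and/or."""
    if isinstance(f, bool):
        return not f
    if f[0] in ("<", ">"):
        return (">" if f[0] == "<" else "<", f[1], f[2])
    return ("or" if f[0] == "and" else "and", negate(f[1]), negate(f[2]))


def time_bounds(f, state, rates):
    """Return (T_min(true(f)), T_max(true(f))) from the current variable values."""
    if isinstance(f, bool):
        return (0.0, 0.0) if f else (INF, INF)
    op = f[0]
    if op in ("and", "or"):
        a_min, a_max = time_bounds(f[1], state, rates)
        b_min, b_max = time_bounds(f[2], state, rates)
        pick = max if op == "and" else min     # conjunction: max, disjunction: min
        return pick(a_min, b_min), pick(a_max, b_max)
    _, var, c = f
    s, (r_lo, r_hi) = state[var], rates[var]
    if (op == ">" and s > c) or (op == "<" and s < c):
        return 0.0, 0.0                        # predicate already true now
    if op == ">":                              # S must rise from s up to c
        return ((c - s) / r_hi if r_hi > 0 else INF,
                (c - s) / r_lo if r_lo > 0 else INF)
    return ((c - s) / r_lo if r_lo < 0 else INF,  # S must fall from s down to c
            (c - s) / r_hi if r_hi < 0 else INF)


def pc(guard, invariant, state, rates):
    """Preemptive condition: the illegal guard cannot become true before the
    invariant has been left.  T_min = inf counts as preempted (footnote 2)."""
    g_min, _ = time_bounds(guard, state, rates)
    _, inv_false = time_bounds(negate(invariant), state, rates)
    return g_min == INF or g_min > inv_false


# Invariant of q_6 and the two illegal dynamic guards leaving it (from the paper).
I_Q6 = ("and", ("and", (">", "L", 5), ("<", "L", 220)), ("<", "C", 5))
HIGH, LOW = (">", "L", 220), ("<", "L", 5)


def q6_part(level, clock):
    """Which subconfiguration of the split q_6 a state (L, C) falls in:
    'q6_1' when both illegal guards are preempted, else 'q6_2'.  The paper
    reduces pc(q_6,[L>220],<illegal>) to [L < 180 + 8C] and pc(q_6,[L<5],
    <illegal>) to true, so inside I_{q_6} the answer must match L < 180 + 8C."""
    st = {"L": float(level), "C": float(clock)}
    legal = pc(HIGH, I_Q6, st, RATES_Q6) and pc(LOW, I_Q6, st, RATES_Q6)
    return "q6_1" if legal else "q6_2"
```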

In the next iteration, $q_6'$ will be analyzed as follows. There are five transitions leaving $q_6'$:

$$(q_6', [C > 5], q_6^1)$$
$$(q_6', [C > 5], q_6^2)$$
$$(q_6', [L < 5], \langle illegal \rangle)$$
$$(q_6', [L > 220], \langle illegal \rangle)$$
$$(q_6', stop_2, q_3)$$

It can be calculated that

$$pc(q_6', [C > 5], q_6^2)$$
$$= \big(T_{min}([C > 5] \wedge [L > 180]) > T_{max}([L < 5] \vee [L > 220] \vee [C < 5])\big)$$
$$= \big(\max\{0,\ (180 - L)/8\} > \min\{\infty,\ (220 - L)/2,\ 0\}\big)$$
$$= \big((180 - L)/8 > 0\big)$$
$$= [L < 180]$$

$$pc(q_6', [L < 5], \langle illegal \rangle) = true$$
$$pc(q_6', [L > 220], \langle illegal \rangle) = true$$
$$wp(q_6', stop_2, q_3) = [L > 5] \wedge [L < 220]$$

Therefore, $q_6'$ will not be split and event $stop_2$ will be forced under the condition

$$critical(I_{q_6'}) \wedge wp(q_6', stop_2, q_3) \wedge \neg\big(pc(q_6', [C > 5], q_6^2) \wedge pc(q_6', [L < 5], \langle illegal \rangle) \wedge pc(q_6', [L > 220], \langle illegal \rangle)\big)$$
$$= ([L < 5] \vee [L > 220] \vee [C < 5]) \wedge [L > 180] \wedge [L > 5] \wedge [L < 220]$$

Since $[C < 5]$, $[L > 5]$, $[L < 220]$ are satisfied at $q_6'$, the forcing will actually take place when
$[L > 180]$.

Table 1 summarizes the results of the synthesis algorithm at each iteration.
Table 1. Steam boiler controller synthesis

Configuration | Initial | First iteration | Second iteration | Third iteration
q_1  | [L>5] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>65-6C] ∧ [L<220] ∧ [C<5]
q_1' | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5] | [L>35] ∧ [L<220] ∧ [C>5] | [L>35] ∧ [L<220] ∧ [C>5]
q_2  | [L>5] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>45-6C] ∧ [L<220] ∧ [C<5]
q_2' | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5] | [L>35] ∧ [L<220] ∧ [C>5] | [L>35] ∧ [L<220] ∧ [C>5]
q_3  | [L>5] ∧ [L<220] ∧ [C<5] | [L>15-2C] ∧ [L<200+4C] ∧ [C<5] | [L>15-2C] ∧ [L<200+4C] ∧ [C<5] | [L>25-2C] ∧ [L<200+4C] ∧ [C<5]
q_3' | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5] | [L>15] ∧ [L<220] ∧ [C>5] | [L>15] ∧ [L<220] ∧ [C>5]
q_4  | [L>5] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5] | [L>35-6C] ∧ [L<220] ∧ [C<5]
q_5  | [L>5] ∧ [L<220] ∧ [C<5] | [L>15-2C] ∧ [L<200+4C] ∧ [C<5] | [L>15-2C] ∧ [L<200+4C] ∧ [C<5] | [L>15-2C] ∧ [L<200+4C] ∧ [C<5]
q_6  | [L>5] ∧ [L<220] ∧ [C<5] | [L>5] ∧ [L<180+8C] ∧ [C<5] | [L>5] ∧ [L<180+8C] ∧ [C<5] | [L>5] ∧ [L<180+8C] ∧ [C<5]
q_6' | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5] | [L>5] ∧ [L<220] ∧ [C>5]

Finally, the minimally restrictive controller is shown in figure 6. 